1. Field of the Invention
The present invention relates to digital cellular communication systems, and more particularly to a method and apparatus for enhancing the security of data communications within such a system.
2. History of the Prior Art
Cellular radio communications is, perhaps, the fastest growing field in the world-wide telecommunications industry. Although cellular radio communication systems comprise only a small fraction of the telecommunications systems presently in operation, it is widely believed that this fraction will steadily increase and will represent a major portion of the entire telecommunications market in the not too distant future. This belief is grounded in the inherent limitations of conventional telephone communications networks which rely primarily on wire technology to connect subscribers within the network. A standard household or office telephone, for example, is connected to a wall outlet, or phone jack, by a telephone cord of a certain maximum length. Similarly, wires connect the telephone outlet with a local switching office of the telephone company. A telephone user's movement is thus restricted not only by the length of the telephone cord, but also by the availability of an operative telephone outlet, i.e. an outlet which has been connected with the local switching office. Indeed, the genesis of cellular radio systems can be attributed, in large part, to the desire to overcome these restrictions and to afford the telephone user the freedom to move about or to travel away from his home or office without sacrificing his ability to communicate effectively with others. In a typical cellular radio system, the user, or the user's vehicle, carries a relatively small, wireless device which communicates with a base station and connects the user to other mobile stations in the system and to landline parties in the public switched telephone network (PSTN).
A significant disadvantage of existing cellular radio communication systems is the ease with which analog radio transmissions may be intercepted. In particular, some or all of the communications between the mobile station and the base station may be monitored, without authorization, simply by tuning an appropriate electronic receiver to the frequency or frequencies of the communications. Hence, anyone with access to such a receiver and an interest in eavesdropping can violate the privacy of the communications virtually at will and with total inpunity. While there have been efforts to make electronic eavesdropping illegal, the clandestine nature of such activities generally means that most, if not all, instances of eavesdropping will go undetected and, therefore, unpunished and undeterred. The possibility that a competitor or a foe may decide to "tune in" to one's seemingly private telephone conversations has heretofore hindered the proliferation of cellular radio communication systems and, left unchecked, will continue to threaten the viability of such systems for businesses and government applications.
It has recently become clear that the cellular radio telecommunications systems of the future Will be implemented using digital rather than analog technology. The switch to digital is dictated, primarily, by considerations relating to system speed and capacity. A single analog, or voice, radio frequency (RF) channel can accommodate four (4) to six (6) digital, or data, RF channels. Thus, by digitizing speech prior to transmission over the voice channel, the channel capacity and, consequently the overall system capacity, may be increased dramatically without increasing the bandwidth of the voice channel. As a corollary, the system is able to handle a substantially greater number of mobile stations at a significantly lower cost.
Although the switch from analog to digital cellular radio systems ameliorates somewhat the likelihood of breeches in the security of communications between the base station and the mobile station, the risk of electronic eavesdropping is far from eliminated. A digital receiver may be constructed which is capable of decoding the digital signals and the original speech. The hardware may be more complicated and the undertaking more expensive than in the case of analog transmission, but the possibility persists that highly personal or sensitive conversations in a digital cellular radio system may be monitored by a third party and potentially used to the detriment of the system users. Moreover, the very possibility of third parties eavesdropping of a telephone conversation eliminates cellular telecommunications as a medium for certain government communications. Certain business users may be equally sensitive to even the possibility of a security breech. Thus, to render cellular systems as viable alternatives to the conventional wireline networks, security of communications must be available on at least some circuits.
Various solutions have been proposed to alleviate the security concerns engendered by radio transmission of confidential data. A known solution, implemented by some existing communication systems, uses cryptoalgorithms to encrypt (scramble) digital data into an unintelligible form prior to transmission. For example, the article entitled "Cloak and Data" by Rick Grehan in BYTE Magazine, dated June 1990 at pages 311-324, for a general discussion of cryptographic systems. In most systems currently available, speech is digitized and processed through an encryption device to produce a communications signal that appears to be random or pseudo-random in nature until it is decrypted at an authorized receiver. The particular algorithm used by the encryption device may be a proprietary algorithm or an algorithm found in the public domain. Further background for such techniques may be found in the article entitled "The Mathematics of Public-Key Cryptography" by Martin E. Hellman in Scientific American dated August 1979 at 146-167.
One technique for the encryption of data relies on "time-of-day" or "frame number" driven keystream generators to produce keystreams of pseudo-random bits which are combined with the data to be encrypted. Such keystream generators may synchronized to a time of day counter, i.e. hour, minute and second, or to a simple number counter and the encryption and decryption devices may be synchronized by transmitting the current count of the transmitter counter to the receiver in the event one falls out of synchronization with another.
To increase the security of communications in systems utilizing time-of-day or frame number driven keystream generators, the value of each bit in the pseudo-random keystream is preferably made a function of the values of all the key bits in an encryption key. In this manner, a person desiring to descramble the encrypted signal must "crack" or "break" all of the bits of the encryption key which may be in the order of fifty (50) to one hundred (100) bits or more. A keystream of this type is generally produced by mathematically expanding the encryption key word in accordance with a selected algorithm which incorporates the count of the time-of-day counter. However, if every bit of the encryption key is to influence every bit in the keystream and if the keystream is to be added to the data stream bits on a one-to-one basis, the required number of key word expansion computations per second is enormous and can readily exceed the real time computational capability of the system. The co-pending application entitled "Encryption System for Digital Cellular Communications", referred to above, achieves such expansion Of the keystream with conventional microprocessors and at conventional microprocessor speeds.
The use of an encryption key to generate a pseudo-random keystream which is a complex function of all the key bits is a very useful tool for securing digital communications. Other tools may include arrangements for ensuring that the secret key assigned to each mobile station (the permanent key) is never directly used outside of the home network, i.e., the normal service and billing area of the mobile station. Instead, the permanent key is used to generate other bits (the security key) which are used for enciphering a particular call and which may be transmitted from the home network to a visited network, i.e., an area other than the normal billing area into which the mobile station has roamed. Such arrangements reduce the risk of unauthorized disclosure of the permanent secret key to a third party which may use that key to defeat the encryption process.
Yet another tool for securing communications in a digital cellular system is the authentication of mobile stations at registration, call initiation or call reception. Authentication may be simply viewed as the process of confirming the identity of the mobile station. Both authentication and encryption require communication between the visited network and the home network, where the mobile station has a permanent registration, in order to obtain mobile-specific information such as the security key used for encryption. According to the present invention, the functions of authentication and encryption are linked so that a single inter-network transaction establishes both functions. As described in detail hereafter, the present invention achieves such integration by generating, in the same transaction, not only a key-dependent response (RESP) to a random challenge (RAND), but also the security key (S-key) used to encipher user traffic.
In the American Digital Cellular (ADC) system currently under development, only the air interface is directly specified. Nevertheless, the specification of desirable security functions within the ADC system, e.g., authentication and encryption, can indirectly determine the network security architecture. With respect to authentication, the architecture options relate to whether the authentication algorithm should be executed in the home network or, alternatively, in the visited network. A choice between the two options is necessary for the defintion of a suitable algorithm because the possible input parameters to the algorithm which are available in the home network may not necessarily be the same as those which are available in the visited network. As explained hereafter, the present invention takes account of the significant security benefits which attach to the execution of the authentication algorithm in the home network.
A serious problem in existing cellular systems may be referred to as the "false mobile station" syndrome. Heretofore, it has been possible to copy the entire memory contents of a mobile station and to use that information to manufacture clones which can demand and receive service from the network. One proposed solution is to provide each authorized mobile station with a specific authentication module, or smart card, which has write-only access for the permanent key. This solution, however, renders the mobile station more complex and more expensive. The present invention includes a "rolling key" which provides a more cost effective safeguard against the threat of false mobile stations. In addition, to meet the threat of "false base station" in the network, the present invention includes a bilateral authentication procedure which may be used when the rolling key is updated. This two-way authentication procedure enhances security and permits bilateral authentication to be performed on the dedicated traffic channels of the system at any time during a call. Each authentication step may be performed at the option of the network operator, but must be performed at least once after the active presence of a mobile station is first detected within a network so as to generate an S-key for the first call.
A mobile station may occassionaly roam into a small, isolated visited network which lacks the communications links with the home network needed to support authentication and encryption in accordance with the general system of the present invention. Such a visited network may choose to accept a call or registration from the mobile station without performing authentication and to indicate by means of a bit in the traffic channel definition that the mobile identification number (MIN) of the mobile station may be used as a default S-key.
The system of the present invention will be set forth below in connection with an overall digital cellular system and a system for generating a pseudo-random keystream for use in enciphering traffic data in the cellular system. Where appropriate or useful for purposes of background and/or comparison, reference will be made to the EIA/TIA Interim Standard, "Cellular System Dual-Mode Mobile Station-Base Station Compatibility Standard", IS-54, May 1990, published by the Electronic Industries Association, 2001 Pennsylvania Ave., N W , Washington, D.C. 20006 (hereinafter referred to as "IS-54" and hereby incorporated by reference herein).